unbound freebsd 14.3 установка настройка

Кол-во просмотров: 249

Обновлено 27.11.2025

Unbound — это легкий, высокопроизводительный рекурсивный DNS-резолвер, который можно использовать для повышения скорости и безопасности разрешения DNS. FreeBSD включает Unbound в свою базовую систему, что упрощает настройку и конфигурирование. Это руководство поможет вам установить, настроить и защитить Unbound как локальный DNS-резолвер на FreeBSD.

1. Understanding Unbound

Unbound — это проверяющий, кэширующий и рекурсивный DNS-распознаватель. При настройке в качестве локального распознавателя он напрямую запрашивает авторитетные DNS-серверы вместо того, чтобы полагаться на вышестоящего поставщика, такого как DNS вашего интернет-провайдера или Google Public DNS. Это повышает конфиденциальность, уменьшает задержку и повышает общую надежность.

Benefits of Using Unbound

• Improved Performance: Caches DNS responses for faster lookup times.
• Better Privacy: Reduces reliance on third-party DNS services.
• Security Features: Supports DNSSEC for secure and validated DNS responses.
• Customizable: Allows fine-tuning of DNS configurations for specific needs.

2. Installing Unbound on FreeBSD

On FreeBSD, Unbound comes pre-installed in the base system. However, if you need additional features or a newer version, you can install it from ports or packages.

Verify if Unbound is Installed

unbound -V

If Unbound is not installed, you can install it using:

pkg install unbound

3. Configuring Unbound as a Local Resolver

Edit the Unbound Configuration File

The primary configuration file for Unbound is located at:

/usr/local/etc/unbound/unbound.conf

Use your preferred text editor to modify the configuration file:

vi /usr/local/etc/unbound/unbound.conf

Basic Configuration Example

Below is a minimal working configuration for a local resolver:

server:
    verbosity: 1
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.1/8 allow
    access-control: ::1 allow
    root-hints: "/usr/local/etc/unbound/root.hints"
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: no
    cache-min-ttl: 3600
    cache-max-ttl: 86400
    prefetch: yes
    num-threads: 2
    rrset-roundrobin: yes
    minimal-responses: yes
    hide-identity: yes
    hide-version: yes
    qname-minimisation: yes
    module-config: "validator iterator"
    val-log-level: 2
    val-permissive-mode: no

forward-zone:
    name: "."
    forward-addr: 1.1.1.1
    forward-addr: 8.8.8.8

Explanation of Key Settings

• interface: Specifies which network interfaces Unbound listens on.
• access-control: Defines which IPs can use this resolver.
• root-hints: Points to a file containing root DNS server hints.
• cache settings: Controls how long DNS responses are cached.
• DNSSEC settings: Enables DNS security extensions.
• forward-zone: Specifies upstream resolvers if needed.

4. Fetching Root Hints File

Unbound requires a root hints file for direct resolution. You can download it from the official source:

fetch -o /usr/local/etc/unbound/root.hints https://www.internic.net/domain/named.cache

Update this file periodically to keep it current.

5. Enabling and Starting Unbound

To enable Unbound at boot:

echo 'unbound_enable="YES"' >> /etc/rc.conf

Start the Unbound service:

service unbound start

To check the status:

service unbound status

6. Configuring FreeBSD to Use Unbound as a Resolver

To make FreeBSD use Unbound for DNS resolution, update /etc/resolv.conf:

echo 'nameserver 127.0.0.1' > /etc/resolv.conf

This ensures all DNS queries go through your local Unbound instance.

7. Testing Your Configuration

To verify Unbound is working correctly, use:

dig freebsd.org @127.0.0.1

If it resolves successfully, Unbound is functioning correctly.

To check caching, run the same command twice and note the reduced query time on the second attempt.

8. Enabling DNSSEC Validation

Unbound supports DNSSEC to verify the authenticity of DNS responses. Enable it by ensuring these settings are present in /etc/unbound/unbound.conf:

server:
    val-log-level: 2
    val-permissive-mode: no
    trust-anchor-file: "/usr/local/etc/unbound/root.key"

Initialize DNSSEC support:

unbound-anchor -a /usr/local/etc/unbound/root.key

Restart Unbound:

service unbound restart

To verify DNSSEC validation:

dig +dnssec freebsd.org @127.0.0.1

Look for the ad (Authenticated Data) flag in the response.

9. Optimizing and Securing Unbound

Blocking Ads and Trackers

Unbound can block ads and trackers by using blocklists. Add entries to /etc/unbound/unbound.conf:

local-zone: "example.com" static

Replace example.com with known ad domains.

Rate Limiting

To prevent abuse, enable rate limiting:

server:
    ratelimit: 1000

Logging Queries

For troubleshooting, enable logging:

server:
    log-queries: yes
    log-replies: yes
    logfile: "unbound.log"

Ensure Unbound can write to this file:

touch /usr/local/etc/unbound/unbound.log
chmod 644 /usr/local/etc/unbound/unbound.log

Restart Unbound:

service unbound restart

10. Conclusion

Setting up Unbound as a local DNS resolver on FreeBSD enhances speed, security, and privacy. By configuring Unbound properly, enabling DNSSEC, and optimizing settings, you can create a reliable and efficient DNS setup tailored to your needs. Regular maintenance, such as updating root hints and monitoring logs, ensures continued performance and security.

With this setup, your FreeBSD system can now resolve domain names efficiently without relying on external DNS providers.

Источник: https://www.siberoloji.com/how-to-configure-unbound-as-a-local-dns-resolver-on-freebsd/